In a recent blog Less is More: Focusing Your Third-Party Vendor Risk Assessments on the Basics we provided guidance for developing the list of questions to use when assessing the security posture of your third-party vendors. Your list of questions requires periodic review and updating. At NuHarbor Security we review the questionnaires we develop for our clients every six months and update the questions accordingly.
One of our clients recently shared a vendor information security assessment questionnaire they had received from one of their customers. One of the questions asked was whether our client allowed modem access to servers. Clearly this questionnaire hadn’t been updated to keep up with the times. An outdated questionnaire won’t help you accurately assess risk. An outdated questionnaire also reflects on your organization and may not be taken seriously by your vendors.
There are several reasons you might need to update your questionnaire. These include:
- Changes in Regulation or Compliance Requirements
- Technology and Workplace Trends
- Cloud Hosting Providers
- Changes in Your Business
- Evolving Threat Landscape
Regulations or Compliance Requirements
New York State’s 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies is a good example. This regulation lists specific information security controls that should be in place such as the encryption of data at rest. Financial service companies that do business in New York should review their assessment questions to ensure they address the controls outlined in the regulation. New regulations can sometimes require the addition of several questions to your questionnaire. The EU General Data Protection Regulation (GDPR) is a good example of this. If you want to confirm GDPR compliance at the same time you review security controls, you will need to expand your question set. Expect to see similar regulations issued by other states and countries impacting other industries in the future.
Technology and Workplace Trends
As personal mobile device usage has increased, more people want to access everything from a single device. If a vendor permits access to their internal systems from employee owned devices, you will want to confirm that the vendor has appropriate protections in place. This might include a bring your own device (BYOD) policy and use of a mobile device management (MDM) solution. Do your vendors permit remote access for their employees? If so, you should review the controls they have in place to protect their systems and your data. Does your vendor outsource critical components of their operations? You should review how they confirm that fourth-party vendors have implemented appropriate controls.
Cloud Hosting Providers
Many of the physical controls related to data centers are now the responsibility of cloud hosting providers. If your vendor hosts their systems in the cloud, you will want to know the name of the cloud provider(s) and ask for the cloud providers compliance documentation. Your vendors should be performing annual third-party control assessments on their cloud providers. Ask about this process and if you can review SSAE SOC reports. The major cloud hosting providers now offer a variety of additional support services for a price. Make sure you understand which additional services your vendor has purchased. For instance, is the hosting provider contracted to provide server patching services to your vendor? An accurate risk assessment will require you understand which entity is responsible for which security control. We commonly see examples of vendors who incorrectly believe their hosting providers are providing controls such as vulnerability scanning and penetration testing. Hosting providers do scan and test their infrastructure but are not going to scan client servers unless a special service has been purchased.
Changes in Your Business and the Threat Landscape
New business lines or processes might impact your inventory of sensitive data. New processes or systems might change the way sensitive data is transmitted, processed or stored. These changes can affect the information security controls you need to review in your vendor assessments.
There are many online sources that you can use to research the ever-changing external treat landscape. Certification and training organizations like ISACA, (ISC)2 and SANS have blogs and online resources. There are security magazines like CSO that provide content. Research groups like Gartner also provide some publicly available information. Some of the best annual reviews and forecasts are provided by networking and security hardware solution companies. An online search for “security landscape” should get you started. Changes in the nature and focus of attacks may lead you to modify which controls you assess. For instance, many experts are seeing an increase in activity aimed at Internet of Things (IoT) devices. If connected devices play a critical role in supporting your business, you might consider adding an assessment question specifically about the controls implemented related to IoT devices.
Changes in your business, technology, regulations and the threat landscape often require updates to which controls you should assess. Review your vendor assessment questionnaire at least once a year to ensure that you are focused on the security controls that are relevant to your business. You can’t accurately access the risk of your third-party relationships if you are using your father’s assessment questionnaire. Make sure you keep yours relevant and fresh.
Our clients have chosen to outsource vendor risk assessments, and that choice often makes sense. This process is time consuming and using the experience of security professionals who do this regularly adds value to the results. If you choose to perform these assessments yourself, consider using our suggestions as you manage your process.